ADMINISTRATOR
encrypted data sizes. Take advantage of the
reduced cost of encryption on IBM z14 to layer
security and data protection.
Pervasive encryption includes Linux* on
z Systems* and LinuxONE*, where transparent
volume encryption is now available. It uses CPACF
protected keys to ensure clear key material isn't
exposed to software. When
configured to use AES-XTS,
which is recommended, volume
encryption enjoys the same CPACF
performance benefits on z14.
z/VM* V6.4 now supports
encrypted paging using CPACF to
prevent access to sensitive data
on volumes.
38 // JANUARY/FEBRUARY 2018 ibmsystemsmag.com
Encrypting Data in Transit
End-to-end encryption, which
includes encryption of data in
transit outside and within the
network, is a best practice for data
protection. Encryption of data at
rest at application, database and
data set levels is performed on the
host; thus, data flowing over the
SANs is encrypted.
For external communications,
z/OS applications can use
either SSL/TLS directly or
Application Transparent TLS
(AT-TLS) to encrypt network
traffic by policy. VPNs are
supported for node-to-node
application-transparent encryption
using Internet Protocol Security
and Internet Key Exchange.
Secure Shell using z/OS OpenSSH
is supported for secure FTP and
secure terminal access.
z/OS 2.3 Communications
Server introduces the z/OS
Encryption Readiness Technology
(zERT), for monitoring traffic
and auditing cryptographic
algorithms and key sizes
negotiated for connections.
zERT can help identify users
affected by cryptographic
vulnerabilities through new SMF
Type 119 Subtype 11 records,
which include information
about user IDs, address spaces,
crypto protocols, job names,
IP addresses, ports, negotiated
cipher suites and algorithms.
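
The kind of audit those records enable can be shown with an added example (not code from the article or from IBM). It assumes the SMF Type 119 Subtype 11 data has already been decoded into CSV; the column names, the sample rows and the policy thresholds are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: connection data assumed to be already decoded from
# SMF 119 subtype 11 into CSV. Column names are hypothetical, not SMF fields.
SAMPLE = """\
user_id,job_name,remote_ip,remote_port,protocol,cipher_suite,key_bits
PAYUSR1,PAYROLL1,192.0.2.10,443,TLSv1.2,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,2048
FTPUSR2,FTPD1,198.51.100.7,21,TLSv1.0,TLS_RSA_WITH_3DES_EDE_CBC_SHA,1024
WEBUSR3,HTTPD2,203.0.113.5,8443,SSLv3,TLS_RSA_WITH_RC4_128_SHA,2048
PAYUSR1,PAYROLL1,192.0.2.11,443,TLSv1.2,TLS_RSA_WITH_AES_128_CBC_SHA,2048
"""

# Example policy (an assumption; substitute your site's standard).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"NULL", "EXPORT", "RC4", "DES", "3DES", "MD5"}
MIN_KEY_BITS = 2048


def findings_for(row):
    """Return the policy violations for one decoded connection record."""
    out = []
    if row["protocol"] in WEAK_PROTOCOLS:
        out.append(f"protocol {row['protocol']}")
    # Match whole suite-name tokens so "DES" never matches inside "3DES".
    tokens = set(row["cipher_suite"].split("_"))
    for token in sorted(tokens & WEAK_CIPHER_TOKENS):
        out.append(f"cipher {token}")
    if int(row["key_bits"]) < MIN_KEY_BITS:
        out.append(f"key size {row['key_bits']}")
    return out


def audit(csv_text):
    """Group violations by (user ID, job name) so owners can be contacted."""
    report = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = findings_for(row)
        if hits:
            report[(row["user_id"], row["job_name"])].update(hits)
    return {who: sorted(hits) for who, hits in report.items()}


if __name__ == "__main__":
    for (user, job), hits in sorted(audit(SAMPLE).items()):
        print(f"{user}/{job}: {', '.join(hits)}")
```
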
Data on IBM Z also flows through
coupling facilities (CFs), which
allow shared, serialized access
across LPARs. z/OS 2.3 allows
CFs to encrypt list and cache
structures to prevent sensitive
data leakage. When enabled,
CFs invoke ICSF to generate a
secure key and transform the key
into a protected key for use with
CPACF. CF encryption is entirely
